Archive for June, 2009

Pass phrases – the illusion of security?

Tuesday, June 30th, 2009

Apparently one of our partners is looking at replacing their various
internal system and application passwords, which are subject to password
strength policies and regular expiration, with a universal passphrase,
which must be somewhat long, but which users can keep unchanged for about
a year at a time.

This is an interesting approach to the age-old password management
problem that most organizations face, and it got me thinking about just
how secure passphrases really are.

Others have written on this subject, so I’ll try not to repeat too much:

I also talked to a friend of mine, who happens to be a linguist and knows
a thing or two about entropy in English-language text.

The bottom line is pretty simple:

* Users will most likely choose a series of words for passphrases.
Perhaps a sentence, which means something to them.

* There aren’t that many commonly used words in the English language.
I ran an analysis against all my mail folders, and found fewer than
20,000 distinct words (i.e., letter sequences that appear at least twice
in message text).

* If we assume a 5-word passphrase, the size of the search
space is at most 20k ^ 5 or 3.2 * 10^21 — sounds secure!

* BUT … the 100 most popular words in my mail folder represented
over 50% of the word occurrences, so the real entropy is more like
200^5 or 300^5 — 3.2 * 10^11 to 2.43 * 10^12.

* This doesn’t even take into account grammar, which should make
some word pairs much more likely than others. I’d take 3*10^11
as a definite upper bound on the security of an English passphrase!

* My linguist friend suggested that the average entropy of a letter
in an English word is no more than 1.5 bits — if it were higher,
English would be too hard for us to learn. Since English words average
about 5 letters, that suggests an equivalent password strength of
1.5 ^ (5 * 5) = 25000. That seems a bit low to me — a lower bound?

In comparison, consider an 8 character password, with mixed case,
digits and 3 possible punctuation marks. Assume it’s really random —
password choice is subject to a policy engine which prevents the use of
dictionary words, etc. Such passwords should have an entropy of something
like (26+26+10+3)^8 = 3.2 * 10^14.
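The comparison above can be worked through numerically. This is an added example, not code from the post: it computes the Shannon entropy of a word-selection distribution and contrasts a 5-word passphrase drawn uniformly from a 20,000-word vocabulary, one drawn with a skewed (Zipf-shaped) frequency table standing in for the author's mail-folder counts, and the 8-character random password from a 65-symbol alphabet. The Zipf table and the small word counts are constructed inputs, not the author's data.

```python
import math
from collections import Counter


def shannon_bits(counts):
    """Entropy in bits per word of the selection distribution implied by a
    word -> count (or weight) mapping. Uniform choice gives log2(vocab)."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c > 0)


def top_k_coverage(counts, k):
    """Fraction of all word occurrences accounted for by the k most common words."""
    total = sum(counts.values())
    return sum(c for _, c in Counter(counts).most_common(k)) / total


def uniform_bits(vocab_size, words):
    """Bits if each of `words` positions were drawn uniformly from the vocabulary."""
    return words * math.log2(vocab_size)


def passphrase_bits(counts, words):
    """Bits for `words` independently chosen words following the observed frequencies
    (grammar would lower this further, as the post notes)."""
    return words * shannon_bits(counts)


def random_password_bits(alphabet_size, length):
    """Bits for a truly random password of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def search_space(bits):
    """Number of candidates an attacker must cover, 2**bits."""
    return 2.0 ** bits


def zipf_counts(vocab_size):
    """Constructed stand-in for a mail-folder word table: weight 1/rank, so a
    handful of words dominate the way the post describes."""
    return {f"w{r}": 1.0 / r for r in range(1, vocab_size + 1)}


if __name__ == "__main__":
    counts = zipf_counts(20000)
    print(f"top-100 words cover {top_k_coverage(counts, 100):.0%} of occurrences")
    for label, bits in (("5 words, uniform over 20k ", uniform_bits(20000, 5)),
                        ("5 words, skewed frequencies", passphrase_bits(counts, 5)),
                        ("8 random chars, 65 symbols ", random_password_bits(65, 8))):
        print(f"{label}: {bits:5.1f} bits  (~{search_space(bits):.1e} candidates)")
```

With the constructed Zipf table the top 100 words cover roughly half of all occurrences, and the 5-word passphrase drops from about 71 bits (uniform) to about 51 bits, still above the 8-character random password's roughly 48 bits before grammar is taken into account.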

This makes the whole passphrase proposition sound a bit fishy to me.
Organizations should either use a *really long* passphrase, or still
require mixed case, special characters, etc. in their passphrase.
But if they do that — will users really benefit from passphrases?
Won’t they just be really really long passwords, which users still hate
and are even more likely to write down?

Of course, organizations could just stick with the “evil” they know
— modest-length passwords, that are subject to complexity rules and
change every 2-3 months. This structure has been analyzed to death and
we have a pretty good idea of how secure they are (or aren’t, depending
on the rules, etc.).

Hello World!

Tuesday, June 16th, 2009

Hello World!

Or perhaps that should be printf("Hello, World!\n"); — because that
reflects my technical background.

I’m probably a bit late to the game, as this is my first blog post,
but the common wisdom seems to be that it’s better late than never.

About me

For those who don’t already know me, my name is Idan
Shoham and for the past 17 years I’ve been the CTO of a company now
called Hitachi ID Systems, Inc. (you may be more familiar with our old
name: M-Tech). At Hitachi ID we write software that helps medium to
large organizations better manage the identities, security privileges,
passwords and other authentication factors of their users, both internal
(employees and contractors) and external (partners and customers).

This blog

The point of launching this blog is for me to share ideas and sometimes
rants — about identity management technology and projects, about
how to develop and deploy software in general, about how to secure
authentication, authorization and audit processes and more.

Hopefully this will be useful information to you — our visitors. This
blog should shed some light about our thought processes here at Hitachi
ID and about the direction we are taking with new products and services.

Why you should read this

I hope to make this blog interesting enough to attract return
visits. If you’re in the middle of an identity management project or
just starting one, you should find the posts helpful.
If you are developing or refreshing your organization’s identity
management strategy, I hope to help you choose a direction.
This blog is open to feedback from readers. Initially, I’ve left the
“moderated” setting on, but the parameters for accepting or rejecting
posts are pretty simple. Feedback will be allowed by default, and
rejected if and only if it is offensive, SPAM or wildly off-topic.

Hopefully you will post lots of feedback and we can make this a
conversation, rather than a publication.